Bug 416541

Summary: DCC policy does not allow integration of SpamAssassin with DCC
Product: Red Hat Enterprise Linux 5 Reporter: Max Kanat-Alexander <mkanat>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: 5.1CC: dwalsh, ebenes, wtogami
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0465 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 16:06:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Audit messages
none
Correct Audit Messages none

Description Max Kanat-Alexander 2007-12-08 13:57:01 UTC 
The current targeted policy ships with a DCC module that allows running a DCC
server, but doesn't allow integrating SpamAssassin with DCC.

You can enable this by editing /etc/mail/spamassassin/v310.pre and uncommenting
the DCC line (near the top of the file).

I've attached a file containing all audit messages generated by DCC while
interacting with SpamAssassin.

Versions:
DCC-1.3.66-21.el5 (from ATRpms)
selinux-policy-2.4.6-106.el5_1.3
selinux-policy-targeted-2.4.6-106.el5_1.3
Comment 1 Max Kanat-Alexander 2007-12-08 13:57:01 UTC 
Created attachment 282021 [details]
Audit messages
Comment 2 Max Kanat-Alexander 2007-12-08 14:06:23 UTC 
Created attachment 282041 [details]
Correct Audit Messages

Oh, I had a few mislabeled files. These are the correct audit messages, ignore
the file I first posted.
Comment 3 Max Kanat-Alexander 2007-12-08 14:18:01 UTC 
Looks like dccproc also wants to setgid when spamassassin first starts up:

type=AVC msg=audit(1197123260.124:4227): avc:  denied  { setgid } for  pid=20268
comm="dccproc" capability=6 scontext=user_u:system_r:dcc_client_t:s0
tcontext=user_u:system_r:dcc_client_t:s0 tclass=capability

That's kind of funny, since dccproc isn't a persistent process. It doesn't try
to setgid when just processing messages. Maybe there's some config it has to
read as the spamassassin user or something.
Comment 4 Max Kanat-Alexander 2007-12-08 14:21:10 UTC 
For those interested, this is what spamassassin does with DCC when it first
starts up:

ec  8 08:20:16 control spamd[20530]: dcc: dccifd is not available: no r/w dccifd
socket found
Dec  8 08:20:16 control spamd[20530]: util: executable for dccproc was found at
/usr/bin/dccproc
Dec  8 08:20:16 control spamd[20530]: dcc: dccproc is available: /usr/bin/dccproc
Dec  8 08:20:16 control spamd[20530]: info: entering helper-app run mode
Dec  8 08:20:16 control spamd[20530]: dcc: opening pipe: /usr/bin/dccproc -H -x
0 < /tmp/.spamassassin20530u370xQtmp
Dec  8 08:20:16 control spamd[20532]: util: setuid: ruid=0 euid=0
Dec  8 08:20:16 control spamd[20530]: dcc: got response: X-DCC--Metrics:
control.trusthosting.net 1113; Body=many Fuz1=many Fuz2=many
Dec  8 08:20:16 control spamd[20530]: info: leaving helper-app run mode
Dec  8 08:20:16 control spamd[20530]: dcc: listed: BODY=999999/999999
FUZ1=999999/999999 FUZ2=999999/999999
Comment 5 Daniel Walsh 2007-12-10 21:51:11 UTC 
Fixed in selinux-policy-2.4.6-107

ou can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp
Comment 6 RHEL Program Management 2007-12-10 21:54:21 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Max Kanat-Alexander 2007-12-11 19:29:38 UTC 
I have an additional message in my audit logs as of today:

type=AVC msg=audit(1197397990.246:11419): avc:  denied  { read } for  pid=29576
comm="dccproc" name="meminfo" dev=proc ino=4026531842
scontext=user_u:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file

This one's happened several times today.
Comment 8 Max Kanat-Alexander 2007-12-11 21:23:24 UTC 
And now that that's allowed, I get this one:

type=AVC msg=audit(1197405257.573:11626): avc:  denied  { getattr } for  pid=875
comm="dccproc" path="/proc/meminfo" dev=proc ino=4026531842
scontext=root:system_r:dcc_client_t:s0 tcontext=system_u:object_r:proc_t:s0
tclass=file

Sorry for bringing these in one-by-one, but I don't really want to leave SELinux
off on my publicly-accessible server long enough to get the whole series of
messages for this intermittent denial.
Comment 9 Max Kanat-Alexander 2007-12-12 17:33:40 UTC 
And it looks like once per day spamd tries to signal dccproc, for some reason.
I'm guessing this happens if it's in the middle of processing and has to
restart, or something.

type=AVC msg=audit(1197447449.438:12026): avc:  denied  { signal } for  pid=536
comm="spamd" scontext=root:system_r:spamd_t:s0
tcontext=root:system_r:dcc_client_t:s0 tclass=process
Comment 10 Daniel Walsh 2007-12-13 21:00:47 UTC 
Fixed in selinux-policy-2.4.6-108.el5
Comment 14 errata-xmlrpc 2008-05-21 16:06:21 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html